ci: add snyk scanning

adding snyk github action to
run when a PR is merged to the release
branch or when a new release is done.
Run snyk weekly on the devel branch.
This will help us to track the security
scanning results and fix if anything is
required and also it serves as a placeholder
for security scanning result for a while.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit is contained in:
Madhu Rajanna 2023-11-15 09:45:45 +01:00 committed by mergify[bot]
parent 4ee466b4b4
commit 6b3665b80c

30
.github/workflows/snyk.yaml vendored Normal file
View File

@ -0,0 +1,30 @@
---
name: Security scanning
# yamllint disable-line rule:truthy
on:
schedule:
# Run weekly on every Monday
- cron: '0 0 * * 1'
push:
tags:
- v*
branches:
- release-*
permissions:
contents: read
jobs:
security:
if: github.repository == 'ceph/ceph-csi'
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: run Snyk to check for code vulnerabilities
uses: snyk/actions/golang@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}